|
Medium |
Content Security Policy (CSP) Header Not Set |
| Description |
Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross-Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware. CSP provides a set of standard HTTP headers that allow website owners to declare approved sources of content that browsers should be allowed to load on that page. Covered types are JavaScript, CSS, HTML frames, fonts, images and embeddable objects such as Java applets, ActiveX, audio and video files.
|
|
| URL |
http://NPM:3000 |
| Method |
GET |
| Parameter |
|
| Attack |
|
| Evidence |
|
|
|
|
| Request Header
- size: 105 bytes.
|
GET http://NPM:3000 HTTP/1.1
host: NPM:3000
user-agent:
pragma: no-cache
cache-control: no-cache
|
| Request Body
- size: 0 bytes.
|
|
| Response Header
- size: 466 bytes.
|
HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Feature-Policy: payment 'self'
X-Recruiting: /#/jobs
Accept-Ranges: bytes
Cache-Control: public, max-age=0
Last-Modified: Mon, 29 Jan 2024 15:49:48 GMT
ETag: W/"7c3-18d55e99883"
Content-Type: text/html; charset=UTF-8
Content-Length: 1987
Vary: Accept-Encoding
Date: Mon, 29 Jan 2024 15:51:33 GMT
Connection: keep-alive
Keep-Alive: timeout=5
|
| Response Body
- size: 1,987 bytes.
|
<!--
~ Copyright (c) 2014-2023 Bjoern Kimminich & the OWASP Juice Shop contributors.
~ SPDX-License-Identifier: MIT
--><!DOCTYPE html><html lang="en"><head>
<meta charset="utf-8">
<title>OWASP Juice Shop</title>
<meta name="description" content="Probably the most modern and sophisticated insecure web application">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link id="favicon" rel="icon" type="image/x-icon" href="assets/public/favicon_js.ico">
<link rel="stylesheet" type="text/css" href="//cdnjs.cloudflare.com/ajax/libs/cookieconsent2/3.1.0/cookieconsent.min.css">
<script src="//cdnjs.cloudflare.com/ajax/libs/cookieconsent2/3.1.0/cookieconsent.min.js"></script>
<script src="//cdnjs.cloudflare.com/ajax/libs/jquery/2.2.4/jquery.min.js"></script>
<script>
window.addEventListener("load", function(){
window.cookieconsent.initialise({
"palette": {
"popup": { "background": "#546e7a", "text": "#ffffff" },
"button": { "background": "#558b2f", "text": "#ffffff" }
},
"theme": "classic",
"position": "bottom-right",
"content": { "message": "This website uses fruit cookies to ensure you get the juiciest tracking experience.", "dismiss": "Me want it!", "link": "But me wait!", "href": "https://www.youtube.com/watch?v=9PnbKL3wuH4" }
})});
</script>
<style>.bluegrey-lightgreen-theme.mat-app-background{background-color:#303030;color:#fff}@charset "UTF-8";@media screen and (-webkit-min-device-pixel-ratio:0){}</style><link rel="stylesheet" href="styles.css" media="print" onload="this.media='all'"><noscript><link rel="stylesheet" href="styles.css"></noscript></head>
<body class="mat-app-background bluegrey-lightgreen-theme">
<app-root></app-root>
<script src="runtime.js" type="module"></script><script src="polyfills.js" type="module"></script><script src="vendor.js" type="module"></script><script src="main.js" type="module"></script>
</body></html>
|
| URL |
http://npm:3000/ |
| Method |
GET |
| Parameter |
|
| Attack |
|
| Evidence |
|
|
|
|
| Request Header
- size: 315 bytes.
|
GET http://npm:3000/ HTTP/1.1
host: npm:3000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Connection: keep-alive
Upgrade-Insecure-Requests: 1
|
| Request Body
- size: 0 bytes.
|
|
| Response Header
- size: 466 bytes.
|
HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Feature-Policy: payment 'self'
X-Recruiting: /#/jobs
Accept-Ranges: bytes
Cache-Control: public, max-age=0
Last-Modified: Mon, 29 Jan 2024 15:49:48 GMT
ETag: W/"7c3-18d55e99883"
Content-Type: text/html; charset=UTF-8
Content-Length: 1987
Vary: Accept-Encoding
Date: Mon, 29 Jan 2024 15:51:44 GMT
Connection: keep-alive
Keep-Alive: timeout=5
|
| Response Body
- size: 1,987 bytes.
|
<!--
~ Copyright (c) 2014-2023 Bjoern Kimminich & the OWASP Juice Shop contributors.
~ SPDX-License-Identifier: MIT
--><!DOCTYPE html><html lang="en"><head>
<meta charset="utf-8">
<title>OWASP Juice Shop</title>
<meta name="description" content="Probably the most modern and sophisticated insecure web application">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link id="favicon" rel="icon" type="image/x-icon" href="assets/public/favicon_js.ico">
<link rel="stylesheet" type="text/css" href="//cdnjs.cloudflare.com/ajax/libs/cookieconsent2/3.1.0/cookieconsent.min.css">
<script src="//cdnjs.cloudflare.com/ajax/libs/cookieconsent2/3.1.0/cookieconsent.min.js"></script>
<script src="//cdnjs.cloudflare.com/ajax/libs/jquery/2.2.4/jquery.min.js"></script>
<script>
window.addEventListener("load", function(){
window.cookieconsent.initialise({
"palette": {
"popup": { "background": "#546e7a", "text": "#ffffff" },
"button": { "background": "#558b2f", "text": "#ffffff" }
},
"theme": "classic",
"position": "bottom-right",
"content": { "message": "This website uses fruit cookies to ensure you get the juiciest tracking experience.", "dismiss": "Me want it!", "link": "But me wait!", "href": "https://www.youtube.com/watch?v=9PnbKL3wuH4" }
})});
</script>
<style>.bluegrey-lightgreen-theme.mat-app-background{background-color:#303030;color:#fff}@charset "UTF-8";@media screen and (-webkit-min-device-pixel-ratio:0){}</style><link rel="stylesheet" href="styles.css" media="print" onload="this.media='all'"><noscript><link rel="stylesheet" href="styles.css"></noscript></head>
<body class="mat-app-background bluegrey-lightgreen-theme">
<app-root></app-root>
<script src="runtime.js" type="module"></script><script src="polyfills.js" type="module"></script><script src="vendor.js" type="module"></script><script src="main.js" type="module"></script>
</body></html>
|
| URL |
http://npm:3000/.git/assets/public/favicon_js.ico |
| Method |
GET |
| Parameter |
|
| Attack |
|
| Evidence |
|
|
|
|
| Request Header
- size: 139 bytes.
|
GET http://npm:3000/.git/assets/public/favicon_js.ico HTTP/1.1
host: npm:3000
user-agent:
pragma: no-cache
cache-control: no-cache
|
| Request Body
- size: 0 bytes.
|
|
| Response Header
- size: 466 bytes.
|
HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Feature-Policy: payment 'self'
X-Recruiting: /#/jobs
Accept-Ranges: bytes
Cache-Control: public, max-age=0
Last-Modified: Mon, 29 Jan 2024 15:49:48 GMT
ETag: W/"7c3-18d55e99883"
Content-Type: text/html; charset=UTF-8
Content-Length: 1987
Vary: Accept-Encoding
Date: Mon, 29 Jan 2024 15:51:33 GMT
Connection: keep-alive
Keep-Alive: timeout=5
|
| Response Body
- size: 1,987 bytes.
|
<!--
~ Copyright (c) 2014-2023 Bjoern Kimminich & the OWASP Juice Shop contributors.
~ SPDX-License-Identifier: MIT
--><!DOCTYPE html><html lang="en"><head>
<meta charset="utf-8">
<title>OWASP Juice Shop</title>
<meta name="description" content="Probably the most modern and sophisticated insecure web application">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link id="favicon" rel="icon" type="image/x-icon" href="assets/public/favicon_js.ico">
<link rel="stylesheet" type="text/css" href="//cdnjs.cloudflare.com/ajax/libs/cookieconsent2/3.1.0/cookieconsent.min.css">
<script src="//cdnjs.cloudflare.com/ajax/libs/cookieconsent2/3.1.0/cookieconsent.min.js"></script>
<script src="//cdnjs.cloudflare.com/ajax/libs/jquery/2.2.4/jquery.min.js"></script>
<script>
window.addEventListener("load", function(){
window.cookieconsent.initialise({
"palette": {
"popup": { "background": "#546e7a", "text": "#ffffff" },
"button": { "background": "#558b2f", "text": "#ffffff" }
},
"theme": "classic",
"position": "bottom-right",
"content": { "message": "This website uses fruit cookies to ensure you get the juiciest tracking experience.", "dismiss": "Me want it!", "link": "But me wait!", "href": "https://www.youtube.com/watch?v=9PnbKL3wuH4" }
})});
</script>
<style>.bluegrey-lightgreen-theme.mat-app-background{background-color:#303030;color:#fff}@charset "UTF-8";@media screen and (-webkit-min-device-pixel-ratio:0){}</style><link rel="stylesheet" href="styles.css" media="print" onload="this.media='all'"><noscript><link rel="stylesheet" href="styles.css"></noscript></head>
<body class="mat-app-background bluegrey-lightgreen-theme">
<app-root></app-root>
<script src="runtime.js" type="module"></script><script src="polyfills.js" type="module"></script><script src="vendor.js" type="module"></script><script src="main.js" type="module"></script>
</body></html>
|
| URL |
http://NPM:3000/.git/index |
| Method |
GET |
| Parameter |
|
| Attack |
|
| Evidence |
|
|
|
|
| Request Header
- size: 116 bytes.
|
GET http://NPM:3000/.git/index HTTP/1.1
host: NPM:3000
user-agent:
pragma: no-cache
cache-control: no-cache
|
| Request Body
- size: 0 bytes.
|
|
| Response Header
- size: 466 bytes.
|
HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Feature-Policy: payment 'self'
X-Recruiting: /#/jobs
Accept-Ranges: bytes
Cache-Control: public, max-age=0
Last-Modified: Mon, 29 Jan 2024 15:49:48 GMT
ETag: W/"7c3-18d55e99883"
Content-Type: text/html; charset=UTF-8
Content-Length: 1987
Vary: Accept-Encoding
Date: Mon, 29 Jan 2024 15:51:33 GMT
Connection: keep-alive
Keep-Alive: timeout=5
|
| Response Body
- size: 1,987 bytes.
|
<!--
~ Copyright (c) 2014-2023 Bjoern Kimminich & the OWASP Juice Shop contributors.
~ SPDX-License-Identifier: MIT
--><!DOCTYPE html><html lang="en"><head>
<meta charset="utf-8">
<title>OWASP Juice Shop</title>
<meta name="description" content="Probably the most modern and sophisticated insecure web application">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link id="favicon" rel="icon" type="image/x-icon" href="assets/public/favicon_js.ico">
<link rel="stylesheet" type="text/css" href="//cdnjs.cloudflare.com/ajax/libs/cookieconsent2/3.1.0/cookieconsent.min.css">
<script src="//cdnjs.cloudflare.com/ajax/libs/cookieconsent2/3.1.0/cookieconsent.min.js"></script>
<script src="//cdnjs.cloudflare.com/ajax/libs/jquery/2.2.4/jquery.min.js"></script>
<script>
window.addEventListener("load", function(){
window.cookieconsent.initialise({
"palette": {
"popup": { "background": "#546e7a", "text": "#ffffff" },
"button": { "background": "#558b2f", "text": "#ffffff" }
},
"theme": "classic",
"position": "bottom-right",
"content": { "message": "This website uses fruit cookies to ensure you get the juiciest tracking experience.", "dismiss": "Me want it!", "link": "But me wait!", "href": "https://www.youtube.com/watch?v=9PnbKL3wuH4" }
})});
</script>
<style>.bluegrey-lightgreen-theme.mat-app-background{background-color:#303030;color:#fff}@charset "UTF-8";@media screen and (-webkit-min-device-pixel-ratio:0){}</style><link rel="stylesheet" href="styles.css" media="print" onload="this.media='all'"><noscript><link rel="stylesheet" href="styles.css"></noscript></head>
<body class="mat-app-background bluegrey-lightgreen-theme">
<app-root></app-root>
<script src="runtime.js" type="module"></script><script src="polyfills.js" type="module"></script><script src="vendor.js" type="module"></script><script src="main.js" type="module"></script>
</body></html>
|
| URL |
http://npm:3000/.git/main.js |
| Method |
GET |
| Parameter |
|
| Attack |
|
| Evidence |
|
|
|
|
| Request Header
- size: 118 bytes.
|
GET http://npm:3000/.git/main.js HTTP/1.1
host: npm:3000
user-agent:
pragma: no-cache
cache-control: no-cache
|
| Request Body
- size: 0 bytes.
|
|
| Response Header
- size: 466 bytes.
|
HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Feature-Policy: payment 'self'
X-Recruiting: /#/jobs
Accept-Ranges: bytes
Cache-Control: public, max-age=0
Last-Modified: Mon, 29 Jan 2024 15:49:48 GMT
ETag: W/"7c3-18d55e99883"
Content-Type: text/html; charset=UTF-8
Content-Length: 1987
Vary: Accept-Encoding
Date: Mon, 29 Jan 2024 15:51:33 GMT
Connection: keep-alive
Keep-Alive: timeout=5
|
| Response Body
- size: 1,987 bytes.
|
<!--
~ Copyright (c) 2014-2023 Bjoern Kimminich & the OWASP Juice Shop contributors.
~ SPDX-License-Identifier: MIT
--><!DOCTYPE html><html lang="en"><head>
<meta charset="utf-8">
<title>OWASP Juice Shop</title>
<meta name="description" content="Probably the most modern and sophisticated insecure web application">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link id="favicon" rel="icon" type="image/x-icon" href="assets/public/favicon_js.ico">
<link rel="stylesheet" type="text/css" href="//cdnjs.cloudflare.com/ajax/libs/cookieconsent2/3.1.0/cookieconsent.min.css">
<script src="//cdnjs.cloudflare.com/ajax/libs/cookieconsent2/3.1.0/cookieconsent.min.js"></script>
<script src="//cdnjs.cloudflare.com/ajax/libs/jquery/2.2.4/jquery.min.js"></script>
<script>
window.addEventListener("load", function(){
window.cookieconsent.initialise({
"palette": {
"popup": { "background": "#546e7a", "text": "#ffffff" },
"button": { "background": "#558b2f", "text": "#ffffff" }
},
"theme": "classic",
"position": "bottom-right",
"content": { "message": "This website uses fruit cookies to ensure you get the juiciest tracking experience.", "dismiss": "Me want it!", "link": "But me wait!", "href": "https://www.youtube.com/watch?v=9PnbKL3wuH4" }
})});
</script>
<style>.bluegrey-lightgreen-theme.mat-app-background{background-color:#303030;color:#fff}@charset "UTF-8";@media screen and (-webkit-min-device-pixel-ratio:0){}</style><link rel="stylesheet" href="styles.css" media="print" onload="this.media='all'"><noscript><link rel="stylesheet" href="styles.css"></noscript></head>
<body class="mat-app-background bluegrey-lightgreen-theme">
<app-root></app-root>
<script src="runtime.js" type="module"></script><script src="polyfills.js" type="module"></script><script src="vendor.js" type="module"></script><script src="main.js" type="module"></script>
</body></html>
|
| URL |
http://npm:3000/.git/polyfills.js |
| Method |
GET |
| Parameter |
|
| Attack |
|
| Evidence |
|
|
|
|
| Request Header
- size: 123 bytes.
|
GET http://npm:3000/.git/polyfills.js HTTP/1.1
host: npm:3000
user-agent:
pragma: no-cache
cache-control: no-cache
|
| Request Body
- size: 0 bytes.
|
|
| Response Header
- size: 466 bytes.
|
HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Feature-Policy: payment 'self'
X-Recruiting: /#/jobs
Accept-Ranges: bytes
Cache-Control: public, max-age=0
Last-Modified: Mon, 29 Jan 2024 15:49:48 GMT
ETag: W/"7c3-18d55e99883"
Content-Type: text/html; charset=UTF-8
Content-Length: 1987
Vary: Accept-Encoding
Date: Mon, 29 Jan 2024 15:51:33 GMT
Connection: keep-alive
Keep-Alive: timeout=5
|
| Response Body
- size: 1,987 bytes.
|
<!--
~ Copyright (c) 2014-2023 Bjoern Kimminich & the OWASP Juice Shop contributors.
~ SPDX-License-Identifier: MIT
--><!DOCTYPE html><html lang="en"><head>
<meta charset="utf-8">
<title>OWASP Juice Shop</title>
<meta name="description" content="Probably the most modern and sophisticated insecure web application">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link id="favicon" rel="icon" type="image/x-icon" href="assets/public/favicon_js.ico">
<link rel="stylesheet" type="text/css" href="//cdnjs.cloudflare.com/ajax/libs/cookieconsent2/3.1.0/cookieconsent.min.css">
<script src="//cdnjs.cloudflare.com/ajax/libs/cookieconsent2/3.1.0/cookieconsent.min.js"></script>
<script src="//cdnjs.cloudflare.com/ajax/libs/jquery/2.2.4/jquery.min.js"></script>
<script>
window.addEventListener("load", function(){
window.cookieconsent.initialise({
"palette": {
"popup": { "background": "#546e7a", "text": "#ffffff" },
"button": { "background": "#558b2f", "text": "#ffffff" }
},
"theme": "classic",
"position": "bottom-right",
"content": { "message": "This website uses fruit cookies to ensure you get the juiciest tracking experience.", "dismiss": "Me want it!", "link": "But me wait!", "href": "https://www.youtube.com/watch?v=9PnbKL3wuH4" }
})});
</script>
<style>.bluegrey-lightgreen-theme.mat-app-background{background-color:#303030;color:#fff}@charset "UTF-8";@media screen and (-webkit-min-device-pixel-ratio:0){}</style><link rel="stylesheet" href="styles.css" media="print" onload="this.media='all'"><noscript><link rel="stylesheet" href="styles.css"></noscript></head>
<body class="mat-app-background bluegrey-lightgreen-theme">
<app-root></app-root>
<script src="runtime.js" type="module"></script><script src="polyfills.js" type="module"></script><script src="vendor.js" type="module"></script><script src="main.js" type="module"></script>
</body></html>
|
| URL |
http://npm:3000/.git/runtime.js |
| Method |
GET |
| Parameter |
|
| Attack |
|
| Evidence |
|
|
|
|
| Request Header
- size: 121 bytes.
|
GET http://npm:3000/.git/runtime.js HTTP/1.1
host: npm:3000
user-agent:
pragma: no-cache
cache-control: no-cache
|
| Request Body
- size: 0 bytes.
|
|
| Response Header
- size: 466 bytes.
|
HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Feature-Policy: payment 'self'
X-Recruiting: /#/jobs
Accept-Ranges: bytes
Cache-Control: public, max-age=0
Last-Modified: Mon, 29 Jan 2024 15:49:48 GMT
ETag: W/"7c3-18d55e99883"
Content-Type: text/html; charset=UTF-8
Content-Length: 1987
Vary: Accept-Encoding
Date: Mon, 29 Jan 2024 15:51:33 GMT
Connection: keep-alive
Keep-Alive: timeout=5
|
| Response Body
- size: 1,987 bytes.
|
<!--
~ Copyright (c) 2014-2023 Bjoern Kimminich & the OWASP Juice Shop contributors.
~ SPDX-License-Identifier: MIT
--><!DOCTYPE html><html lang="en"><head>
<meta charset="utf-8">
<title>OWASP Juice Shop</title>
<meta name="description" content="Probably the most modern and sophisticated insecure web application">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link id="favicon" rel="icon" type="image/x-icon" href="assets/public/favicon_js.ico">
<link rel="stylesheet" type="text/css" href="//cdnjs.cloudflare.com/ajax/libs/cookieconsent2/3.1.0/cookieconsent.min.css">
<script src="//cdnjs.cloudflare.com/ajax/libs/cookieconsent2/3.1.0/cookieconsent.min.js"></script>
<script src="//cdnjs.cloudflare.com/ajax/libs/jquery/2.2.4/jquery.min.js"></script>
<script>
window.addEventListener("load", function(){
window.cookieconsent.initialise({
"palette": {
"popup": { "background": "#546e7a", "text": "#ffffff" },
"button": { "background": "#558b2f", "text": "#ffffff" }
},
"theme": "classic",
"position": "bottom-right",
"content": { "message": "This website uses fruit cookies to ensure you get the juiciest tracking experience.", "dismiss": "Me want it!", "link": "But me wait!", "href": "https://www.youtube.com/watch?v=9PnbKL3wuH4" }
})});
</script>
<style>.bluegrey-lightgreen-theme.mat-app-background{background-color:#303030;color:#fff}@charset "UTF-8";@media screen and (-webkit-min-device-pixel-ratio:0){}</style><link rel="stylesheet" href="styles.css" media="print" onload="this.media='all'"><noscript><link rel="stylesheet" href="styles.css"></noscript></head>
<body class="mat-app-background bluegrey-lightgreen-theme">
<app-root></app-root>
<script src="runtime.js" type="module"></script><script src="polyfills.js" type="module"></script><script src="vendor.js" type="module"></script><script src="main.js" type="module"></script>
</body></html>
|
| URL |
http://npm:3000/.git/styles.css |
| Method |
GET |
| Parameter |
|
| Attack |
|
| Evidence |
|
|
|
|
| Request Header
- size: 121 bytes.
|
GET http://npm:3000/.git/styles.css HTTP/1.1
host: npm:3000
user-agent:
pragma: no-cache
cache-control: no-cache
|
| Request Body
- size: 0 bytes.
|
|
| Response Header
- size: 466 bytes.
|
HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Feature-Policy: payment 'self'
X-Recruiting: /#/jobs
Accept-Ranges: bytes
Cache-Control: public, max-age=0
Last-Modified: Mon, 29 Jan 2024 15:49:48 GMT
ETag: W/"7c3-18d55e99883"
Content-Type: text/html; charset=UTF-8
Content-Length: 1987
Vary: Accept-Encoding
Date: Mon, 29 Jan 2024 15:51:33 GMT
Connection: keep-alive
Keep-Alive: timeout=5
|
| Response Body
- size: 1,987 bytes.
|
<!--
~ Copyright (c) 2014-2023 Bjoern Kimminich & the OWASP Juice Shop contributors.
~ SPDX-License-Identifier: MIT
--><!DOCTYPE html><html lang="en"><head>
<meta charset="utf-8">
<title>OWASP Juice Shop</title>
<meta name="description" content="Probably the most modern and sophisticated insecure web application">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link id="favicon" rel="icon" type="image/x-icon" href="assets/public/favicon_js.ico">
<link rel="stylesheet" type="text/css" href="//cdnjs.cloudflare.com/ajax/libs/cookieconsent2/3.1.0/cookieconsent.min.css">
<script src="//cdnjs.cloudflare.com/ajax/libs/cookieconsent2/3.1.0/cookieconsent.min.js"></script>
<script src="//cdnjs.cloudflare.com/ajax/libs/jquery/2.2.4/jquery.min.js"></script>
<script>
window.addEventListener("load", function(){
window.cookieconsent.initialise({
"palette": {
"popup": { "background": "#546e7a", "text": "#ffffff" },
"button": { "background": "#558b2f", "text": "#ffffff" }
},
"theme": "classic",
"position": "bottom-right",
"content": { "message": "This website uses fruit cookies to ensure you get the juiciest tracking experience.", "dismiss": "Me want it!", "link": "But me wait!", "href": "https://www.youtube.com/watch?v=9PnbKL3wuH4" }
})});
</script>
<style>.bluegrey-lightgreen-theme.mat-app-background{background-color:#303030;color:#fff}@charset "UTF-8";@media screen and (-webkit-min-device-pixel-ratio:0){}</style><link rel="stylesheet" href="styles.css" media="print" onload="this.media='all'"><noscript><link rel="stylesheet" href="styles.css"></noscript></head>
<body class="mat-app-background bluegrey-lightgreen-theme">
<app-root></app-root>
<script src="runtime.js" type="module"></script><script src="polyfills.js" type="module"></script><script src="vendor.js" type="module"></script><script src="main.js" type="module"></script>
</body></html>
|
| URL |
http://npm:3000/.git/vendor.js |
| Method |
GET |
| Parameter |
|
| Attack |
|
| Evidence |
|
|
|
|
| Request Header
- size: 120 bytes.
|
GET http://npm:3000/.git/vendor.js HTTP/1.1
host: npm:3000
user-agent:
pragma: no-cache
cache-control: no-cache
|
| Request Body
- size: 0 bytes.
|
|
| Response Header
- size: 466 bytes.
|
HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Feature-Policy: payment 'self'
X-Recruiting: /#/jobs
Accept-Ranges: bytes
Cache-Control: public, max-age=0
Last-Modified: Mon, 29 Jan 2024 15:49:48 GMT
ETag: W/"7c3-18d55e99883"
Content-Type: text/html; charset=UTF-8
Content-Length: 1987
Vary: Accept-Encoding
Date: Mon, 29 Jan 2024 15:51:33 GMT
Connection: keep-alive
Keep-Alive: timeout=5
|
| Response Body
- size: 1,987 bytes.
|
<!--
~ Copyright (c) 2014-2023 Bjoern Kimminich & the OWASP Juice Shop contributors.
~ SPDX-License-Identifier: MIT
--><!DOCTYPE html><html lang="en"><head>
<meta charset="utf-8">
<title>OWASP Juice Shop</title>
<meta name="description" content="Probably the most modern and sophisticated insecure web application">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link id="favicon" rel="icon" type="image/x-icon" href="assets/public/favicon_js.ico">
<link rel="stylesheet" type="text/css" href="//cdnjs.cloudflare.com/ajax/libs/cookieconsent2/3.1.0/cookieconsent.min.css">
<script src="//cdnjs.cloudflare.com/ajax/libs/cookieconsent2/3.1.0/cookieconsent.min.js"></script>
<script src="//cdnjs.cloudflare.com/ajax/libs/jquery/2.2.4/jquery.min.js"></script>
<script>
window.addEventListener("load", function(){
window.cookieconsent.initialise({
"palette": {
"popup": { "background": "#546e7a", "text": "#ffffff" },
"button": { "background": "#558b2f", "text": "#ffffff" }
},
"theme": "classic",
"position": "bottom-right",
"content": { "message": "This website uses fruit cookies to ensure you get the juiciest tracking experience.", "dismiss": "Me want it!", "link": "But me wait!", "href": "https://www.youtube.com/watch?v=9PnbKL3wuH4" }
})});
</script>
<style>.bluegrey-lightgreen-theme.mat-app-background{background-color:#303030;color:#fff}@charset "UTF-8";@media screen and (-webkit-min-device-pixel-ratio:0){}</style><link rel="stylesheet" href="styles.css" media="print" onload="this.media='all'"><noscript><link rel="stylesheet" href="styles.css"></noscript></head>
<body class="mat-app-background bluegrey-lightgreen-theme">
<app-root></app-root>
<script src="runtime.js" type="module"></script><script src="polyfills.js" type="module"></script><script src="vendor.js" type="module"></script><script src="main.js" type="module"></script>
</body></html>
|
| URL |
http://NPM:3000/.svn/entries |
| Method |
GET |
| Parameter |
|
| Attack |
|
| Evidence |
|
|
|
|
| Request Header
- size: 118 bytes.
|
GET http://NPM:3000/.svn/entries HTTP/1.1
host: NPM:3000
user-agent:
pragma: no-cache
cache-control: no-cache
|
| Request Body
- size: 0 bytes.
|
|
| Response Header
- size: 466 bytes.
|
HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Feature-Policy: payment 'self'
X-Recruiting: /#/jobs
Accept-Ranges: bytes
Cache-Control: public, max-age=0
Last-Modified: Mon, 29 Jan 2024 15:49:48 GMT
ETag: W/"7c3-18d55e99883"
Content-Type: text/html; charset=UTF-8
Content-Length: 1987
Vary: Accept-Encoding
Date: Mon, 29 Jan 2024 15:51:33 GMT
Connection: keep-alive
Keep-Alive: timeout=5
|
| Response Body
- size: 1,987 bytes.
|
<!--
~ Copyright (c) 2014-2023 Bjoern Kimminich & the OWASP Juice Shop contributors.
~ SPDX-License-Identifier: MIT
--><!DOCTYPE html><html lang="en"><head>
<meta charset="utf-8">
<title>OWASP Juice Shop</title>
<meta name="description" content="Probably the most modern and sophisticated insecure web application">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link id="favicon" rel="icon" type="image/x-icon" href="assets/public/favicon_js.ico">
<link rel="stylesheet" type="text/css" href="//cdnjs.cloudflare.com/ajax/libs/cookieconsent2/3.1.0/cookieconsent.min.css">
<script src="//cdnjs.cloudflare.com/ajax/libs/cookieconsent2/3.1.0/cookieconsent.min.js"></script>
<script src="//cdnjs.cloudflare.com/ajax/libs/jquery/2.2.4/jquery.min.js"></script>
<script>
window.addEventListener("load", function(){
window.cookieconsent.initialise({
"palette": {
"popup": { "background": "#546e7a", "text": "#ffffff" },
"button": { "background": "#558b2f", "text": "#ffffff" }
},
"theme": "classic",
"position": "bottom-right",
"content": { "message": "This website uses fruit cookies to ensure you get the juiciest tracking experience.", "dismiss": "Me want it!", "link": "But me wait!", "href": "https://www.youtube.com/watch?v=9PnbKL3wuH4" }
})});
</script>
<style>.bluegrey-lightgreen-theme.mat-app-background{background-color:#303030;color:#fff}@charset "UTF-8";@media screen and (-webkit-min-device-pixel-ratio:0){}</style><link rel="stylesheet" href="styles.css" media="print" onload="this.media='all'"><noscript><link rel="stylesheet" href="styles.css"></noscript></head>
<body class="mat-app-background bluegrey-lightgreen-theme">
<app-root></app-root>
<script src="runtime.js" type="module"></script><script src="polyfills.js" type="module"></script><script src="vendor.js" type="module"></script><script src="main.js" type="module"></script>
</body></html>
|
| URL |
http://NPM:3000/.svn/wc.db |
| Method |
GET |
| Parameter |
|
| Attack |
|
| Evidence |
|
|
|
|
| Request Header
- size: 116 bytes.
|
GET http://NPM:3000/.svn/wc.db HTTP/1.1
host: NPM:3000
user-agent:
pragma: no-cache
cache-control: no-cache
|
| Request Body
- size: 0 bytes.
|
|
| Response Header
- size: 466 bytes.
|
HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Feature-Policy: payment 'self'
X-Recruiting: /#/jobs
Accept-Ranges: bytes
Cache-Control: public, max-age=0
Last-Modified: Mon, 29 Jan 2024 15:49:48 GMT
ETag: W/"7c3-18d55e99883"
Content-Type: text/html; charset=UTF-8
Content-Length: 1987
Vary: Accept-Encoding
Date: Mon, 29 Jan 2024 15:51:33 GMT
Connection: keep-alive
Keep-Alive: timeout=5
|
| Response Body
- size: 1,987 bytes.
|
<!--
~ Copyright (c) 2014-2023 Bjoern Kimminich & the OWASP Juice Shop contributors.
~ SPDX-License-Identifier: MIT
--><!DOCTYPE html><html lang="en"><head>
<meta charset="utf-8">
<title>OWASP Juice Shop</title>
<meta name="description" content="Probably the most modern and sophisticated insecure web application">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link id="favicon" rel="icon" type="image/x-icon" href="assets/public/favicon_js.ico">
<link rel="stylesheet" type="text/css" href="//cdnjs.cloudflare.com/ajax/libs/cookieconsent2/3.1.0/cookieconsent.min.css">
<script src="//cdnjs.cloudflare.com/ajax/libs/cookieconsent2/3.1.0/cookieconsent.min.js"></script>
<script src="//cdnjs.cloudflare.com/ajax/libs/jquery/2.2.4/jquery.min.js"></script>
<script>
window.addEventListener("load", function(){
window.cookieconsent.initialise({
"palette": {
"popup": { "background": "#546e7a", "text": "#ffffff" },
"button": { "background": "#558b2f", "text": "#ffffff" }
},
"theme": "classic",
"position": "bottom-right",
"content": { "message": "This website uses fruit cookies to ensure you get the juiciest tracking experience.", "dismiss": "Me want it!", "link": "But me wait!", "href": "https://www.youtube.com/watch?v=9PnbKL3wuH4" }
})});
</script>
<style>.bluegrey-lightgreen-theme.mat-app-background{background-color:#303030;color:#fff}@charset "UTF-8";@media screen and (-webkit-min-device-pixel-ratio:0){}</style><link rel="stylesheet" href="styles.css" media="print" onload="this.media='all'"><noscript><link rel="stylesheet" href="styles.css"></noscript></head>
<body class="mat-app-background bluegrey-lightgreen-theme">
<app-root></app-root>
<script src="runtime.js" type="module"></script><script src="polyfills.js" type="module"></script><script src="vendor.js" type="module"></script><script src="main.js" type="module"></script>
</body></html>
|
| URL |
http://npm:3000/ftp |
| Method |
GET |
| Parameter |
|
| Attack |
|
| Evidence |
|
|
|
|
| Request Header
- size: 109 bytes.
|
GET http://npm:3000/ftp HTTP/1.1
host: npm:3000
user-agent:
pragma: no-cache
cache-control: no-cache
|
| Request Body
- size: 0 bytes.
|
|
| Response Header
- size: 338 bytes.
|
HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Feature-Policy: payment 'self'
X-Recruiting: /#/jobs
Content-Type: text/html; charset=utf-8
Content-Length: 11073
Vary: Accept-Encoding
Date: Mon, 29 Jan 2024 15:51:33 GMT
Connection: keep-alive
Keep-Alive: timeout=5
|
| Response Body
- size: 11,062 bytes.
|
<!DOCTYPE html>
<html>
<head>
<meta charset='utf-8'>
<meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no" />
<title>listing directory /ftp</title>
<style>* {
margin: 0;
padding: 0;
outline: 0;
}
body {
padding: 80px 100px;
font: 13px "Helvetica Neue", "Lucida Grande", "Arial";
background: #ECE9E9 -webkit-gradient(linear, 0% 0%, 0% 100%, from(#fff), to(#ECE9E9));
background: #ECE9E9 -moz-linear-gradient(top, #fff, #ECE9E9);
background-repeat: no-repeat;
color: #555;
-webkit-font-smoothing: antialiased;
}
h1, h2, h3 {
font-size: 22px;
color: #343434;
}
h1 em, h2 em {
padding: 0 5px;
font-weight: normal;
}
h1 {
font-size: 60px;
}
h2 {
margin-top: 10px;
}
h3 {
margin: 5px 0 10px 0;
padding-bottom: 5px;
border-bottom: 1px solid #eee;
font-size: 18px;
}
ul li {
list-style: none;
}
ul li:hover {
cursor: pointer;
color: #2e2e2e;
}
ul li .path {
padding-left: 5px;
font-weight: bold;
}
ul li .line {
padding-right: 5px;
font-style: italic;
}
ul li:first-child .path {
padding-left: 0;
}
p {
line-height: 1.5;
}
a {
color: #555;
text-decoration: none;
}
a:hover {
color: #303030;
}
#stacktrace {
margin-top: 15px;
}
.directory h1 {
margin-bottom: 15px;
font-size: 18px;
}
ul#files {
width: 100%;
height: 100%;
overflow: hidden;
}
ul#files li {
float: left;
width: 30%;
line-height: 25px;
margin: 1px;
}
ul#files li a {
display: block;
height: 25px;
border: 1px solid transparent;
-webkit-border-radius: 5px;
-moz-border-radius: 5px;
border-radius: 5px;
overflow: hidden;
white-space: nowrap;
}
ul#files li a:focus,
ul#files li a:hover {
background: rgba(255,255,255,0.65);
border: 1px solid #ececec;
}
ul#files li a.highlight {
-webkit-transition: background .4s ease-in-out;
background: #ffff4f;
border-color: #E9DC51;
}
#search {
display: block;
position: fixed;
top: 20px;
right: 20px;
width: 90px;
-webkit-transition: width ease 0.2s, opacity ease 0.4s;
-moz-transition: width ease 0.2s, opacity ease 0.4s;
-webkit-border-radius: 32px;
-moz-border-radius: 32px;
-webkit-box-shadow: inset 0px 0px 3px rgba(0, 0, 0, 0.25), inset 0px 1px 3px rgba(0, 0, 0, 0.7), 0px 1px 0px rgba(255, 255, 255, 0.03);
-moz-box-shadow: inset 0px 0px 3px rgba(0, 0, 0, 0.25), inset 0px 1px 3px rgba(0, 0, 0, 0.7), 0px 1px 0px rgba(255, 255, 255, 0.03);
-webkit-font-smoothing: antialiased;
text-align: left;
font: 13px "Helvetica Neue", Arial, sans-serif;
padding: 4px 10px;
border: none;
background: transparent;
margin-bottom: 0;
outline: none;
opacity: 0.7;
color: #888;
}
#search:focus {
width: 120px;
opacity: 1.0;
}
/*views*/
#files span {
display: inline-block;
overflow: hidden;
text-overflow: ellipsis;
text-indent: 10px;
}
#files .name {
background-repeat: no-repeat;
}
#files .icon .name {
text-indent: 28px;
}
/*tiles*/
.view-tiles .name {
width: 100%;
background-position: 8px 5px;
}
.view-tiles .size,
.view-tiles .date {
display: none;
}
/*details*/
ul#files.view-details li {
float: none;
display: block;
width: 90%;
}
ul#files.view-details li.header {
height: 25px;
background: #000;
color: #fff;
font-weight: bold;
}
.view-details .header {
border-radius: 5px;
}
.view-details .name {
width: 60%;
background-position: 8px 5px;
}
.view-details .size {
width: 10%;
}
.view-details .date {
width: 30%;
}
.view-details .size,
.view-details .date {
text-align: right;
direction: rtl;
}
/*mobile*/
@media (max-width: 768px) {
body {
font-size: 13px;
line-height: 16px;
padding: 0;
}
#search {
position: static;
width: 100%;
font-size: 2em;
line-height: 1.8em;
text-indent: 10px;
border: 0;
border-radius: 0;
padding: 10px 0;
margin: 0;
}
#search:focus {
width: 100%;
border: 0;
opacity: 1;
}
.directory h1 {
font-size: 2em;
line-height: 1.5em;
color: #fff;
background: #000;
padding: 15px 10px;
margin: 0;
}
ul#files {
border-top: 1px solid #cacaca;
}
ul#files li {
float: none;
width: auto !important;
display: block;
border-bottom: 1px solid #cacaca;
font-size: 2em;
line-height: 1.2em;
text-indent: 0;
margin: 0;
}
ul#files li:nth-child(odd) {
background: #e0e0e0;
}
ul#files li a {
height: auto;
border: 0;
border-radius: 0;
padding: 15px 10px;
}
ul#files li a:focus,
ul#files li a:hover {
border: 0;
}
#files .header,
#files .size,
#files .date {
display: none !important;
}
#files .name {
float: none;
display: inline-block;
width: 100%;
text-indent: 0;
background-position: 0 50%;
}
#files .icon .name {
text-indent: 41px;
}
}
#files .icon-directory .name {
background-image: url(data:image/png;base64,...);
}
#files .icon-text .name {
background-image: url(data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAQAAAC1+jfqAAAABGdBTUEAAK/INwWK6QAAABl0RVh0U29mdHdhcmUAQWRvYmUgSW1hZ2VSZWFkeXHJZTwAAADoSURBVBgZBcExblNBGAbA2ceegTRBuIKOgiihSZNTcC5LUHAihNJR0kGKCDcYJY6D3/77MdOinTvzAgCw8ysThIvn/VojIyMjIyPP+bS1sUQIV2s95pBDDvmbP/mdkft83tpYguZq5Jh/OeaYh+yzy8hTHvNlaxNNczm+la9OTlar1UdA/+C2A4trRCnD3jS8BB1obq2Gk6GU6QbQAS4BUaYSQAf4bhhKKTFdAzrAOwAxEUAH+KEM01SY3gM6wBsEAQB0gJ+maZoC3gI6iPYaAIBJsiRmHU0AALOeFC3aK2cWAACUXe7+AwO0lc9eTHYTAAAAAElFTkSuQmCC);
}
#files .icon-default .name {
background-image: url(data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAQAAAC1+jfqAAAABGdBTUEAAK/INwWK6QAAABl0RVh0U29mdHdhcmUAQWRvYmUgSW1hZ2VSZWFkeXHJZTwAAAC4SURBVCjPdZFbDsIgEEWnrsMm7oGGfZrohxvU+Iq1TyjU60Bf1pac4Yc5YS4ZAtGWBMk/drQBOVwJlZrWYkLhsB8UV9K0BUrPGy9cWbng2CtEEUmLGppPjRwpbixUKHBiZRS0p+ZGhvs4irNEvWD8heHpbsyDXznPhYFOyTjJc13olIqzZCHBouE0FRMUjA+s1gTjaRgVFpqRwC8mfoXPPEVPS7LbRaJL2y7bOifRCTEli3U7BMWgLzKlW/CuebZPAAAAAElFTkSuQmCC);
}
</style>
<script>
function $(id){
var el = 'string' == typeof id
? document.getElementById(id)
: id;
el.on = function(event, fn){
if ('content loaded' == event) {
event = window.attachEvent ? "load" : "DOMContentLoaded";
}
el.addEventListener
? el.addEventListener(event, fn, false)
: el.attachEvent("on" + event, fn);
};
el.all = function(selector){
return $(el.querySelectorAll(selector));
};
el.each = function(fn){
for (var i = 0, len = el.length; i < len; ++i) {
fn($(el[i]), i);
}
};
el.getClasses = function(){
return this.getAttribute('class').split(/\s+/);
};
el.addClass = function(name){
var classes = this.getAttribute('class');
el.setAttribute('class', classes
? classes + ' ' + name
: name);
};
el.removeClass = function(name){
var classes = this.getClasses().filter(function(curr){
return curr != name;
});
this.setAttribute('class', classes.join(' '));
};
return el;
}
function search() {
var str = $('search').value.toLowerCase();
var links = $('files').all('a');
links.each(function(link){
var text = link.textContent.toLowerCase();
if ('..' == text) return;
if (str.length && ~text.indexOf(str)) {
link.addClass('highlight');
} else {
link.removeClass('highlight');
}
});
}
$(window).on('content loaded', function(){
$('search').on('keyup', search);
});
</script>
</head>
<body class="directory">
<input id="search" type="text" placeholder="Search" autocomplete="off" />
<div id="wrapper">
<h1><a href=".">~</a> / <a href="ftp">ftp</a></h1>
<ul id="files" class="view-tiles"><li><a href="ftp/quarantine" class="icon icon-directory" title="quarantine"><span class="name">quarantine</span><span class="size"></span><span class="date">1/3/2024 11:00:46 PM</span></a></li>
<li><a href="ftp/acquisitions.md" class="icon icon icon-md icon-text" title="acquisitions.md"><span class="name">acquisitions.md</span><span class="size">909</span><span class="date">1/3/2024 11:00:46 PM</span></a></li>
<li><a href="ftp/announcement_encrypted.md" class="icon icon icon-md icon-text" title="announcement_encrypted.md"><span class="name">announcement_encrypted.md</span><span class="size">369237</span><span class="date">1/3/2024 11:00:46 PM</span></a></li>
<li><a href="ftp/coupons_2013.md.bak" class="icon icon icon-bak icon-default" title="coupons_2013.md.bak"><span class="name">coupons_2013.md.bak</span><span class="size">131</span><span class="date">1/3/2024 11:00:46 PM</span></a></li>
<li><a href="ftp/eastere.gg" class="icon icon icon-gg icon-default" title="eastere.gg"><span class="name">eastere.gg</span><span class="size">324</span><span class="date">1/3/2024 11:00:46 PM</span></a></li>
<li><a href="ftp/encrypt.pyc" class="icon icon icon-pyc icon-default" title="encrypt.pyc"><span class="name">encrypt.pyc</span><span class="size">573</span><span class="date">1/3/2024 11:00:46 PM</span></a></li>
<li><a href="ftp/incident-support.kdbx" class="icon icon icon-kdbx icon-default" title="incident-support.kdbx"><span class="name">incident-support.kdbx</span><span class="size">3246</span><span class="date">1/3/2024 11:00:46 PM</span></a></li>
<li><a href="ftp/legal.md" class="icon icon icon-md icon-text" title="legal.md"><span class="name">legal.md</span><span class="size">3047</span><span class="date">1/29/2024 3:49:44 PM</span></a></li>
<li><a href="ftp/package.json.bak" class="icon icon icon-bak icon-default" title="package.json.bak"><span class="name">package.json.bak</span><span class="size">4291</span><span class="date">1/3/2024 11:00:46 PM</span></a></li>
<li><a href="ftp/suspicious_errors.yml" class="icon icon icon-yml icon-text" title="suspicious_errors.yml"><span class="name">suspicious_errors.yml</span><span class="size">723</span><span class="date">1/3/2024 11:00:46 PM</span></a></li></ul>
</div>
</body>
</html>
|
| URL |
http://NPM:3000/sitemap.xml |
| Method |
GET |
| Parameter |
|
| Attack |
|
| Evidence |
|
|
|
|
| Request Header
- size: 117 bytes.
|
GET http://NPM:3000/sitemap.xml HTTP/1.1
host: NPM:3000
user-agent:
pragma: no-cache
cache-control: no-cache
|
| Request Body
- size: 0 bytes.
|
|
| Response Header
- size: 466 bytes.
|
HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Feature-Policy: payment 'self'
X-Recruiting: /#/jobs
Accept-Ranges: bytes
Cache-Control: public, max-age=0
Last-Modified: Mon, 29 Jan 2024 15:49:48 GMT
ETag: W/"7c3-18d55e99883"
Content-Type: text/html; charset=UTF-8
Content-Length: 1987
Vary: Accept-Encoding
Date: Mon, 29 Jan 2024 15:51:33 GMT
Connection: keep-alive
Keep-Alive: timeout=5
|
| Response Body
- size: 1,987 bytes.
|
<!--
~ Copyright (c) 2014-2023 Bjoern Kimminich & the OWASP Juice Shop contributors.
~ SPDX-License-Identifier: MIT
--><!DOCTYPE html><html lang="en"><head>
<meta charset="utf-8">
<title>OWASP Juice Shop</title>
<meta name="description" content="Probably the most modern and sophisticated insecure web application">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link id="favicon" rel="icon" type="image/x-icon" href="assets/public/favicon_js.ico">
<link rel="stylesheet" type="text/css" href="//cdnjs.cloudflare.com/ajax/libs/cookieconsent2/3.1.0/cookieconsent.min.css">
<script src="//cdnjs.cloudflare.com/ajax/libs/cookieconsent2/3.1.0/cookieconsent.min.js"></script>
<script src="//cdnjs.cloudflare.com/ajax/libs/jquery/2.2.4/jquery.min.js"></script>
<script>
window.addEventListener("load", function(){
window.cookieconsent.initialise({
"palette": {
"popup": { "background": "#546e7a", "text": "#ffffff" },
"button": { "background": "#558b2f", "text": "#ffffff" }
},
"theme": "classic",
"position": "bottom-right",
"content": { "message": "This website uses fruit cookies to ensure you get the juiciest tracking experience.", "dismiss": "Me want it!", "link": "But me wait!", "href": "https://www.youtube.com/watch?v=9PnbKL3wuH4" }
})});
</script>
<style>.bluegrey-lightgreen-theme.mat-app-background{background-color:#303030;color:#fff}@charset "UTF-8";@media screen and (-webkit-min-device-pixel-ratio:0){}</style><link rel="stylesheet" href="styles.css" media="print" onload="this.media='all'"><noscript><link rel="stylesheet" href="styles.css"></noscript></head>
<body class="mat-app-background bluegrey-lightgreen-theme">
<app-root></app-root>
<script src="runtime.js" type="module"></script><script src="polyfills.js" type="module"></script><script src="vendor.js" type="module"></script><script src="main.js" type="module"></script>
</body></html>
|
| URL |
http://npm:3000/socket.io/?EIO=4&transport=polling&t=OrLws6A&sid=0MP_vNZikbW3zHoLAAAA |
| Method |
POST |
| Parameter |
|
| Attack |
|
| Evidence |
|
|
|
|
| Request Header
- size: 384 bytes.
|
POST http://npm:3000/socket.io/?EIO=4&transport=polling&t=OrLws6A&sid=0MP_vNZikbW3zHoLAAAA HTTP/1.1
host: npm:3000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Referer: http://npm:3000/
Content-type: text/plain;charset=UTF-8
Content-Length: 2
Origin: http://npm:3000
Connection: keep-alive
|
| Request Body
- size: 2 bytes.
|
40
|
| Response Header
- size: 147 bytes.
|
HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 2
Date: Mon, 29 Jan 2024 15:51:45 GMT
Connection: keep-alive
Keep-Alive: timeout=5
|
| Response Body
- size: 2 bytes.
|
ok
|
| URL |
http://npm:3000/socket.io/?EIO=4&transport=polling&t=OrLwt28&sid=UoKXJ_6XT6XNx5aoAAAC |
| Method |
POST |
| Parameter |
|
| Attack |
|
| Evidence |
|
|
|
|
| Request Header
- size: 405 bytes.
|
POST http://npm:3000/socket.io/?EIO=4&transport=polling&t=OrLwt28&sid=UoKXJ_6XT6XNx5aoAAAC HTTP/1.1
host: npm:3000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Referer: http://npm:3000/
Content-type: text/plain;charset=UTF-8
Content-Length: 2
Origin: http://npm:3000
Connection: keep-alive
Cookie: language=en
|
| Request Body
- size: 2 bytes.
|
40
|
| Response Header
- size: 147 bytes.
|
HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 2
Date: Mon, 29 Jan 2024 15:51:49 GMT
Connection: keep-alive
Keep-Alive: timeout=5
|
| Response Body
- size: 2 bytes.
|
ok
|
| URL |
http://npm:3000/socket.io/?EIO=4&transport=polling&t=OrLwu8r&sid=A8RvNqU7b_0V7zN3AAAE |
| Method |
POST |
| Parameter |
|
| Attack |
|
| Evidence |
|
|
|
|
| Request Header
- size: 384 bytes.
|
POST http://npm:3000/socket.io/?EIO=4&transport=polling&t=OrLwu8r&sid=A8RvNqU7b_0V7zN3AAAE HTTP/1.1
host: npm:3000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Referer: http://npm:3000/
Content-type: text/plain;charset=UTF-8
Content-Length: 2
Origin: http://npm:3000
Connection: keep-alive
|
| Request Body
- size: 2 bytes.
|
40
|
| Response Header
- size: 147 bytes.
|
HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 2
Date: Mon, 29 Jan 2024 15:51:54 GMT
Connection: keep-alive
Keep-Alive: timeout=5
|
| Response Body
- size: 2 bytes.
|
ok
|
| URL |
http://npm:3000/socket.io/?EIO=4&transport=polling&t=OrLwv8t&sid=QDA2ftkJS6qPlsD7AAAG |
| Method |
POST |
| Parameter |
|
| Attack |
|
| Evidence |
|
|
|
|
| Request Header
- size: 384 bytes.
|
POST http://npm:3000/socket.io/?EIO=4&transport=polling&t=OrLwv8t&sid=QDA2ftkJS6qPlsD7AAAG HTTP/1.1
host: npm:3000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Referer: http://npm:3000/
Content-type: text/plain;charset=UTF-8
Content-Length: 2
Origin: http://npm:3000
Connection: keep-alive
|
| Request Body
- size: 2 bytes.
|
40
|
| Response Header
- size: 147 bytes.
|
HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 2
Date: Mon, 29 Jan 2024 15:51:58 GMT
Connection: keep-alive
Keep-Alive: timeout=5
|
| Response Body
- size: 2 bytes.
|
ok
|
| URL |
http://npm:3000/socket.io/?EIO=4&transport=polling&t=OrLwwCi&sid=56QbZR6DBW5xyl8ZAAAI |
| Method |
POST |
| Parameter |
|
| Attack |
|
| Evidence |
|
|
|
|
| Request Header
- size: 384 bytes.
|
POST http://npm:3000/socket.io/?EIO=4&transport=polling&t=OrLwwCi&sid=56QbZR6DBW5xyl8ZAAAI HTTP/1.1
host: npm:3000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Referer: http://npm:3000/
Content-type: text/plain;charset=UTF-8
Content-Length: 2
Origin: http://npm:3000
Connection: keep-alive
|
| Request Body
- size: 2 bytes.
|
40
|
| Response Header
- size: 147 bytes.
|
HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 2
Date: Mon, 29 Jan 2024 15:52:02 GMT
Connection: keep-alive
Keep-Alive: timeout=5
|
| Response Body
- size: 2 bytes.
|
ok
|
| URL |
http://npm:3000/socket.io/?EIO=4&transport=polling&t=OrLwxEx&sid=gtj3LP0dVW0EBut-AAAK |
| Method |
POST |
| Parameter |
|
| Attack |
|
| Evidence |
|
|
|
|
| Request Header
- size: 384 bytes.
|
POST http://npm:3000/socket.io/?EIO=4&transport=polling&t=OrLwxEx&sid=gtj3LP0dVW0EBut-AAAK HTTP/1.1
host: npm:3000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Referer: http://npm:3000/
Content-type: text/plain;charset=UTF-8
Content-Length: 2
Origin: http://npm:3000
Connection: keep-alive
|
| Request Body
- size: 2 bytes.
|
40
|
| Response Header
- size: 147 bytes.
|
HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 2
Date: Mon, 29 Jan 2024 15:52:06 GMT
Connection: keep-alive
Keep-Alive: timeout=5
|
| Response Body
- size: 2 bytes.
|
ok
|
| URL |
http://npm:3000/socket.io/?EIO=4&transport=polling&t=OrLwxzZ&sid=C1F_EdQzCNJXfH1dAAAM |
| Method |
POST |
| Parameter |
|
| Attack |
|
| Evidence |
|
|
|
|
| Request Header
- size: 435 bytes.
|
POST http://npm:3000/socket.io/?EIO=4&transport=polling&t=OrLwxzZ&sid=C1F_EdQzCNJXfH1dAAAM HTTP/1.1
host: npm:3000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Referer: http://npm:3000/
Content-type: text/plain;charset=UTF-8
Content-Length: 2
Origin: http://npm:3000
Connection: keep-alive
Cookie: language=en; cookieconsent_status=dismiss
|
| Request Body
- size: 2 bytes.
|
40
|
| Response Header
- size: 147 bytes.
|
HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 2
Date: Mon, 29 Jan 2024 15:52:09 GMT
Connection: keep-alive
Keep-Alive: timeout=5
|
| Response Body
- size: 2 bytes.
|
ok
|
| URL |
http://npm:3000/socket.io/?EIO=4&transport=polling&t=OrLwy5H&sid=HUDrpu7FejAYX2EcAAAN |
| Method |
POST |
| Parameter |
|
| Attack |
|
| Evidence |
|
|
|
|
| Request Header
- size: 435 bytes.
|
POST http://npm:3000/socket.io/?EIO=4&transport=polling&t=OrLwy5H&sid=HUDrpu7FejAYX2EcAAAN HTTP/1.1
host: npm:3000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Referer: http://npm:3000/
Content-type: text/plain;charset=UTF-8
Content-Length: 2
Origin: http://npm:3000
Connection: keep-alive
Cookie: language=en; welcomebanner_status=dismiss
|
| Request Body
- size: 2 bytes.
|
40
|
| Response Header
- size: 147 bytes.
|
HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 2
Date: Mon, 29 Jan 2024 15:52:10 GMT
Connection: keep-alive
Keep-Alive: timeout=5
|
| Response Body
- size: 2 bytes.
|
ok
|
| Instances |
21 |
| Solution |
Ensure that your web server, application server, load balancer, etc. are configured to set the Content-Security-Policy header.
|
| Reference |
https://developer.mozilla.org/en-US/docs/Web/Security/CSP/Introducing_Content_Security_Policy
https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html
http://www.w3.org/TR/CSP/
http://w3c.github.io/webappsec/specs/content-security-policy/csp-specification.dev.html
http://www.html5rocks.com/en/tutorials/security/content-security-policy/
http://caniuse.com/#feat=contentsecuritypolicy
http://content-security-policy.com/
|
| Tags |
OWASP_2021_A05
OWASP_2017_A06
|
| CWE Id |
693 |
| WASC Id |
15 |
| Plugin Id |
10038 |